PoYo Wan 2.6 API

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward PoYo Wan 2.6 video-generation helper that sends user-provided payloads to PoYo using a disclosed API key and curl.

Install this only if you intend to submit Wan 2.6 jobs to PoYo. Store POYO_API_KEY securely, prefer an environment variable over passing the key on the command line, and review payloads before submission, especially prompts, media URLs, and callback_url values.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 86% confidence
Finding: The skill explicitly instructs use of shell tooling (`curl`) and a submission script, but it does not declare any permissions despite requiring command execution capabilities. This creates a transparency and policy-enforcement gap: a caller or platform may not realize the skill can invoke shell commands and transmit data externally, increasing the chance of unintended command execution or unsafe handling of user-controlled inputs in downstream scripts.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal